squid/RELEASENOTES.html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="LinuxDoc-Tools 0.9.69">
<TITLE>Squid 3.3.11 release notes</TITLE>
</HEAD>
<BODY>
<H1>Squid 3.3.11 release notes</H1>
<H2>Squid Developers</H2>
<HR>
<EM>This document contains the release notes for version 3.3 of Squid.
Squid is a WWW Cache application developed by the National Laboratory
for Applied Network Research and members of the Web Caching community.</EM>
<HR>
<P>
<H2><A NAME="toc1">1.</A> <A HREF="#s1">Notice</A></H2>
<UL>
<LI><A NAME="toc1.1">1.1</A> <A HREF="#ss1.1">Known issues</A>
<LI><A NAME="toc1.2">1.2</A> <A HREF="#ss1.2">Changes since earlier releases of Squid-3.3</A>
</UL>
<P>
<H2><A NAME="toc2">2.</A> <A HREF="#s2">Major new features since Squid-3.2</A></H2>
<UL>
<LI><A NAME="toc2.1">2.1</A> <A HREF="#ss2.1">SQL Database logging helper</A>
<LI><A NAME="toc2.2">2.2</A> <A HREF="#ss2.2">Time-Quota session helper</A>
<LI><A NAME="toc2.3">2.3</A> <A HREF="#ss2.3">SSL-Bump Server First</A>
<LI><A NAME="toc2.4">2.4</A> <A HREF="#ss2.4">Server Certificate Mimic</A>
<LI><A NAME="toc2.5">2.5</A> <A HREF="#ss2.5">Custom HTTP request headers</A>
</UL>
<P>
<H2><A NAME="toc3">3.</A> <A HREF="#s3">Changes to squid.conf since Squid-3.2</A></H2>
<UL>
<LI><A NAME="toc3.1">3.1</A> <A HREF="#ss3.1">New tags</A>
<LI><A NAME="toc3.2">3.2</A> <A HREF="#ss3.2">Changes to existing tags</A>
<LI><A NAME="toc3.3">3.3</A> <A HREF="#ss3.3">Removed tags</A>
</UL>
<P>
<H2><A NAME="toc4">4.</A> <A HREF="#s4">Changes to ./configure options since Squid-3.2</A></H2>
<UL>
<LI><A NAME="toc4.1">4.1</A> <A HREF="#ss4.1">New options</A>
<LI><A NAME="toc4.2">4.2</A> <A HREF="#ss4.2">Changes to existing options</A>
<LI><A NAME="toc4.3">4.3</A> <A HREF="#ss4.3">Removed options</A>
</UL>
<P>
<H2><A NAME="toc5">5.</A> <A HREF="#s5">Regressions since Squid-2.7</A></H2>
<UL>
<LI><A NAME="toc5.1">5.1</A> <A HREF="#ss5.1">Missing squid.conf options available in Squid-2.7</A>
</UL>
<HR>
<H2><A NAME="s1">1.</A> <A HREF="#toc1">Notice</A></H2>
<P>The Squid Team are pleased to announce the release of Squid-3.3.11.</P>
<P>This new release is available for download from
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/">http://www.squid-cache.org/Versions/v3/3.3/</A> or the
<A HREF="http://www.squid-cache.org/Mirrors/http-mirrors.html">mirrors</A>.</P>
<P>A large number of the design flaws in the SSL-Bump feature have been fixed, along with general improvements all around.
While this release is not fully bug-free, we believe it is ready for production use on many systems.</P>
<P>We welcome feedback and bug reports. If you find a bug, please see
<A HREF="http://wiki.squid-cache.org/SquidFaq/BugReporting">http://wiki.squid-cache.org/SquidFaq/BugReporting</A>
for how to submit a report with a stack trace.</P>
<H2><A NAME="ss1.1">1.1</A> <A HREF="#toc1.1">Known issues</A>
</H2>
<P>Although this release is deemed good enough for use in many setups, please note the existence of
<A HREF="http://bugs.squid-cache.org/buglist.cgi?query_format=advanced&amp;product=Squid&amp;bug_status=UNCONFIRMED&amp;bug_status=NEW&amp;bug_status=ASSIGNED&amp;bug_status=REOPENED&amp;version=3.3">open bugs against Squid-3.3</A>.</P>
<H2><A NAME="ss1.2">1.2</A> <A HREF="#toc1.2">Changes since earlier releases of Squid-3.3</A>
</H2>
<P>The 3.3 change history can be
<A HREF="http://www.squid-cache.org/Versions/v3/3.3/changesets/">viewed here</A>.</P>
<H2><A NAME="s2">2.</A> <A HREF="#toc2">Major new features since Squid-3.2</A></H2>
<P>Squid 3.3 represents a new feature release above 3.2.</P>
<P>The most important of these new features are:
<UL>
<LI>SQL Database logging helper</LI>
<LI>Time-Quota session helper</LI>
<LI>SSL-Bump Server First</LI>
<LI>Server Certificate Mimic</LI>
<LI>Custom HTTP request headers</LI>
</UL>
</P>
<P>Most user-facing changes are reflected in squid.conf (see below).</P>
<H2><A NAME="ss2.1">2.1</A> <A HREF="#toc2.1">SQL Database logging helper</A>
</H2>
<P><EM>log_db_daemon</EM> - Database logging daemon for Squid</P>
<P>This program writes Squid access.log entries to an SQL database.
Written in Perl, it can use any database supported by the Perl
database abstraction layer.</P>
<P>NOTE: Presently it only accepts the Squid native log format.</P>
<H2><A NAME="ss2.2">2.2</A> <A HREF="#toc2.2">Time-Quota session helper</A>
</H2>
<P><EM>ext_time_quota_acl</EM> - Time quota external ACL helper.</P>
<P>Allows an administrator to define time budgets (quotas) for
Squid users, limiting the time they may spend using Squid.</P>
<P>This is useful for corporate lunch time allocations, wifi portal
pay-per-minute installations or for parental control of children.</P>
<P>The administrator can define a time budget (e.g. 1 hour per day),
which this helper enforces using session estimations of the user's
browsing time. A 'pause' threshold, given in seconds, defines the
maximum gap between two requests for them to be treated as part of
the same session. Pauses shorter than this value are counted against
the quota; longer ones are ignored.</P>
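<P>The session-based accounting described above, as an added illustration written for these notes (a Python simulation, not the ext_time_quota_acl helper's own code): a request is charged the gap since the user's previous request when that gap is below the pause threshold, a larger gap is treated as idle time, and the helper answers OK while the budget lasts. The username-first request line and the bare OK/ERR reply are the simplified external ACL helper exchange assumed here; the daily reset of the budget is out of scope.</P>

```python
from dataclasses import dataclass, field


@dataclass
class TimeQuota:
    """Simulation of session-based time-quota accounting (not Squid's code).

    budget_seconds: browsing time allowed per user, e.g. 3600 for "1 hour
                    per day" (the daily reset itself is out of scope here).
    pause_seconds:  the 'pause' threshold; two requests closer together than
                    this are part of the same session.
    """
    budget_seconds: int
    pause_seconds: int
    used: dict = field(default_factory=dict)       # user -> seconds charged
    last_seen: dict = field(default_factory=dict)  # user -> time of last request

    def check(self, user: str, now: float) -> bool:
        """Account one request by `user` at time `now` (seconds); True while
        the user is within budget, False once the quota is exhausted."""
        prev = self.last_seen.get(user)
        if prev is not None:
            gap = now - prev
            # A pause shorter than the threshold is browsing time inside the
            # same session and is charged; a longer pause is idle and ignored.
            if gap < self.pause_seconds:
                self.used[user] = self.used.get(user, 0) + gap
        self.last_seen[user] = now
        return self.used.get(user, 0) < self.budget_seconds

    def remaining(self, user: str) -> float:
        """Budget left for `user`, never below zero."""
        return max(0, self.budget_seconds - self.used.get(user, 0))

    def respond(self, line: str, now: float) -> str:
        """Answer one helper request line (assumed format: username first) the
        way an external ACL helper does: OK allows, ERR denies."""
        user = line.strip().split()[0]
        return "OK" if self.check(user, now) else "ERR"


if __name__ == "__main__":
    # Constructed request times: 10-minute budget, 60-second pause threshold.
    quota = TimeQuota(budget_seconds=600, pause_seconds=60)
    for t in (0, 30, 50, 1000, 1030):
        print(t, quota.respond("alice", t), "remaining:", quota.remaining("alice"))
```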
<H2><A NAME="ss2.3">2.3</A> <A HREF="#toc2.3">SSL-Bump Server First</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/BumpSslServerFirst">http://wiki.squid-cache.org/Features/BumpSslServerFirst</A>.</P>
<P>When an intercepted connection is received, Squid first connects
to the server using SSL and receives the server certificate.
Squid then uses the host name inside the true server certificate
to generate a fake one and impersonates the server, while still
using the already established secure connection to the server.</P>
<P>Bumping server first is essentially required for handling
intercepted HTTPS connections, but the same scheme should be used
for most HTTP CONNECT requests because it offers a few advantages
compared to the old bump-client-first approach:</P>
<P>
<UL>
<LI>When Squid knows valid server certificate details, it can
generate its fake server certificate with those details.
With the bump-client-first scheme, all those details are lost.
In general, browsers do not care about those details but there
may be HTTP clients (or even human users) that require or could
benefit from knowing them.
</LI>
<LI>When a server sends a bad certificate, Squid may be able to
replicate that brokenness in its own fake certificate, giving
the HTTP client control over whether to ignore the problem or
terminate the transaction. With bump-client-first, it is
difficult to support a similar dynamic, user-directed opt-out;
Squid itself has to decide what to do when the server
certificate cannot be validated.
</LI>
<LI>When a server asks for a client certificate, Squid may be
able to ask the client and then forward the client certificate
to the server. Such client certificate handling may not be
possible with the bump-client-first scheme because it would
have to be done after the SSL handshake.
</LI>
<LI>Some clients (e.g., Rekonq browser v0.7.x) do not send host
names in CONNECT requests. Such clients require bump-server-first
even in forward proxying mode. Unfortunately, there are other
problems with fully supporting such clients (i.e., Squid does
not know whether the IP address in the CONNECT request is what
the user has typed into the address bar), so not all features
will work well for them until more specialized detection code
is added.</LI>
</UL>
</P>
<H2><A NAME="ss2.4">2.4</A> <A HREF="#toc2.4">Server Certificate Mimic</A>
</H2>
<P>Details at
<A HREF="http://wiki.squid-cache.org/Features/MimicSslServerCert">http://wiki.squid-cache.org/Features/MimicSslServerCert</A>.</P>
<P>One of the serious drawbacks of the SslBump feature is the loss of
information embedded in the SSL server certificate.
The certificate mimic feature passes the original SSL server
certificate information on to the user, allowing the user to
make an informed decision on whether to trust the server
certificate.</P>
<H2><A NAME="ss2.5">2.5</A> <A HREF="#toc2.5">Custom HTTP request headers</A>
</H2>
<P>The <EM>request_header_add</EM> option is added to insert
HTTP header fields into outgoing HTTP requests (i.e.,
request headers sent by Squid to the next HTTP hop such as a
cache peer or an origin server). The option has no effect on
cache hit traffic or requests serviced by Squid and ICAP.</P>
<P>WARNING: If a standard HTTP header name is used, Squid does not check whether
the new header conflicts with any existing headers or violates
HTTP rules. If the request to be modified already contains a
field with the same name, the old field is preserved but the
header field values are not merged.</P>
<P>The field value can be either a token or a quoted string. If the
quoted-string format is used, the surrounding quotes are removed
while escape sequences and %macros are processed.</P>
<P>In theory, all of the <EM>logformat</EM> codes can be used as %macros.
However, unlike logging (which happens at the very end of the
transaction lifetime), the transaction may not yet have enough
information to expand a macro when the new header value is needed.
Some information may also already be available to Squid but not yet
committed where the macro expansion code can access it (please report
such instances!). In such cases the macro is expanded into a single dash
('-'). Not all macros have been tested.</P>
<P>One or more Squid ACLs may be specified to restrict header
injection to matching requests. As always in squid.conf, all
ACLs in an option ACL list must be satisfied for the insertion
to happen. The <EM>request_header_add</EM> option supports fast ACLs only.</P>
<H2><A NAME="s3">3.</A> <A HREF="#toc3">Changes to squid.conf since Squid-3.2</A></H2>
<P>There have been changes to Squid's configuration file since Squid-3.2.</P>
<P>This section gives a thorough account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newtags">New tags</A></LI>
<LI>
<A HREF="#modifiedtags">Changes to existing tags</A></LI>
<LI>
<A HREF="#removedtags">Removed tags</A></LI>
</UL>
</P>
<H2><A NAME="newtags"></A> <A NAME="ss3.1">3.1</A> <A HREF="#toc3.1">New tags</A>
</H2>
<P>
<DL>
<DT><B>cache_miss_revalidate</B><DD>
<P>Whether Squid is to pass through If-Modified-Since and If-None-Match headers on a cache MISS.
Revalidation requests can prevent the cache from gathering objects to HIT on.</P>
<P>Based on the Squid-2.7 <EM>ignore_ims_on_miss</EM> feature.</P>
<P><EM>IMPORTANT:</EM> the meaning for on/off values has changed along with the name since 2.7.</P>
<DT><B>request_header_add</B><DD>
<P>New directive to add custom headers on HTTP traffic sent to upstream servers.</P>
<DT><B>sslproxy_cert_sign</B><DD>
<P>New option to determine how the client certificate sent to upstream servers is signed.</P>
<DT><B>sslproxy_cert_adapt</B><DD>
<P>New option to adapt certain properties of outgoing SSL certificates generated for use when bumping SSL to an upstream server.</P>
</DL>
</P>
<H2><A NAME="modifiedtags"></A> <A NAME="ss3.2">3.2</A> <A HREF="#toc3.2">Changes to existing tags</A>
</H2>
<P>
<DL>
<DT><B>acl</B><DD>
<P><EM>myport</EM> and <EM>myip</EM> ACL types are replaced with <EM>localport</EM> and <EM>localip</EM> respectively,
to reflect that they match the TCP connection details and not the squid.conf port.
This matters when dealing with intercepted traffic, where the Squid receiving port differs from the TCP connection IP:port.
Always use the <EM>myportname</EM> type to match the squid.conf port details.</P>
<P>New default built-in ACLs for testing SSL certificate properties.</P>
<P><EM>ssl::certHasExpired</EM>,
<EM>ssl::certNotYetValid</EM>,
<EM>ssl::certDomainMismatch</EM>,
<EM>ssl::certUntrusted</EM>,
<EM>ssl::certSelfSigned</EM>.</P>
<DT><B>external_acl_type</B><DD>
<P><EM>%ACL</EM> format tag ported from 2.6.
Sends the name of ACL being tested to the external helper.</P>
<P><EM>%DATA</EM> format tag ported from 2.6.
Inserts the ACL arguments into a particular location of the helper input instead of at the end of the line.</P>
<DT><B>logformat</B><DD>
<P>New token <EM>%ssl::bump_mode</EM> to log the SSL-bump mode type performed on a request.
Logs values of: <EM>-</EM>, <EM>none</EM>, <EM>client-first</EM>, or <EM>server-first</EM>.</P>
<P>New token of <EM>%ssl::&gt;cert_subject</EM> to log the Subject field of a SSL certificate received from the client.</P>
<P>New token of <EM>%ssl::&gt;cert_issuer</EM> to log the Issuer field of a SSL certificate received from the client.</P>
<DT><B>ssl_bump</B><DD>
<P>New action types <EM>none</EM>, <EM>client-first</EM>, <EM>server-first</EM>. The default is <EM>none</EM>.</P>
<P>Use of <EM>allow</EM>/<EM>deny</EM> is now deprecated and should be removed as soon as possible.
To retain exactly the same behaviour between 3.3 and older releases, replace <EM>deny</EM> with <EM>none</EM>
and <EM>allow</EM> with <EM>client-first</EM>. However, an upgrade to <EM>server-first</EM> is recommended.</P>
<P><EM>NOTE</EM>: Mixing of allow/deny with the new action types is prohibited and will cause Squid to exit with a FATAL error.</P>
</DL>
</P>
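<P>A migration check for the ssl_bump deprecation above, as an added example written for these notes (Python, not part of Squid): it applies the behaviour-preserving mapping from the notes, deny to none and allow to client-first, to the ssl_bump lines of a squid.conf text, optionally upgrades to the recommended server-first instead, and flags a file that mixes allow/deny with the new action types, the combination that makes Squid 3.3 exit with a FATAL error. The sample configuration is constructed.</P>

```python
import re

# Behaviour-preserving mapping given in the 3.3 release notes.
LEGACY_TO_ACTION = {"deny": "none", "allow": "client-first"}
NEW_ACTIONS = {"none", "client-first", "server-first"}
# directive, action keyword, rest of line (ACL list); comment lines never match
SSL_BUMP_RE = re.compile(r"^(\s*ssl_bump\s+)(\S+)(.*)$")

# Constructed squid.conf fragment in the pre-3.3 allow/deny style.
SAMPLE_CONF = """\
# constructed example, not a real deployment
acl broken_sites dstdomain .example.test
ssl_bump deny broken_sites
ssl_bump allow all
"""

def ssl_bump_actions(conf: str) -> set:
    """Collect the ssl_bump action keywords used in a squid.conf text."""
    return {m.group(2) for m in map(SSL_BUMP_RE.match, conf.splitlines()) if m}

def mixes_legacy_and_new(conf: str) -> bool:
    """True when allow/deny and the new action types appear together, the
    combination that makes Squid 3.3 exit with a FATAL error."""
    actions = ssl_bump_actions(conf)
    return bool(actions & set(LEGACY_TO_ACTION)) and bool(actions & NEW_ACTIONS)

def migrate_ssl_bump(conf: str, prefer_server_first: bool = False) -> str:
    """Rewrite deprecated allow/deny ssl_bump lines to the 3.3 action types.

    prefer_server_first=True uses the recommended server-first action in
    place of client-first. ACL lists and all other lines are left untouched.
    """
    out = []
    for line in conf.splitlines():
        m = SSL_BUMP_RE.match(line)
        if m and m.group(2) in LEGACY_TO_ACTION:
            action = LEGACY_TO_ACTION[m.group(2)]
            if prefer_server_first and action == "client-first":
                action = "server-first"
            line = m.group(1) + action + m.group(3)
        out.append(line)
    return "\n".join(out) + ("\n" if conf.endswith("\n") else "")

if __name__ == "__main__":
    print(migrate_ssl_bump(SAMPLE_CONF, prefer_server_first=True))
```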
<H2><A NAME="removedtags"></A> <A NAME="ss3.3">3.3</A> <A HREF="#toc3.3">Removed tags</A>
</H2>
<P>
<DL>
<DT><B>ignore_ims_on_miss</B><DD>
<P>This option has been replaced by the <EM>cache_miss_revalidate</EM> feature.</P>
</DL>
</P>
<H2><A NAME="s4">4.</A> <A HREF="#toc4">Changes to ./configure options since Squid-3.2</A></H2>
<P>There have been some changes to Squid's build configuration since Squid-3.2.</P>
<P>This section gives an account of those changes in three categories:</P>
<P>
<UL>
<LI>
<A HREF="#newoptions">New options</A></LI>
<LI>
<A HREF="#modifiedoptions">Changes to existing options</A></LI>
<LI>
<A HREF="#removedoptions">Removed options</A></LI>
</UL>
</P>
<H2><A NAME="newoptions"></A> <A NAME="ss4.1">4.1</A> <A HREF="#toc4.1">New options</A>
</H2>
<P>
<DL>
<P><EM>There are no new ./configure options in Squid-3.3.</EM></P>
</DL>
</P>
<H2><A NAME="modifiedoptions"></A> <A NAME="ss4.2">4.2</A> <A HREF="#toc4.2">Changes to existing options</A>
</H2>
<P>
<DL>
<DT><B>--enable-kqueue</B><DD>
<P>kqueue network I/O module is now built by default when it is available.
This option is no longer required to enable kqueue support,
but if used will abort build when kqueue dependencies are missing or broken.</P>
<DT><B>--disable-kqueue</B><DD>
<P>kqueue network I/O module is now built by default when it is available.
This configure option is now needed to disable it. Previously it did nothing.</P>
</DL>
</P>
<H2><A NAME="removedoptions"></A> <A NAME="ss4.3">4.3</A> <A HREF="#toc4.3">Removed options</A>
</H2>
<P>
<DL>
<DT><B>--enable-ntlm-fail-open</B><DD>
<P>This has not been supported by Squid for several versions.</P>
</DL>
</P>
<H2><A NAME="s5">5.</A> <A HREF="#toc5">Regressions since Squid-2.7</A></H2>
<P>Some squid.conf and ./configure options which were available in Squid-2.7 are not yet available in Squid-3.3.</P>
<P>If you need something to do, then porting one of these from Squid-2 to Squid-3 is most welcome.</P>
<H2><A NAME="ss5.1">5.1</A> <A HREF="#toc5.1">Missing squid.conf options available in Squid-2.7</A>
</H2>
<P>
<DL>
<DT><B>broken_vary_encoding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>cache_dir</B><DD>
<P><EM>COSS</EM> storage type is lacking stability fixes from 2.6</P>
<P>COSS <EM>overwrite-percent=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>max-stripe-waste=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>membufs=</EM> option not yet ported from 2.6</P>
<P>COSS <EM>maxfullbufs=</EM> option not yet ported from 2.6</P>
<DT><B>cache_peer</B><DD>
<P><EM>idle=</EM> not yet ported from 2.7</P>
<P><EM>monitorinterval=</EM> not yet ported from 2.6</P>
<P><EM>monitorsize=</EM> not yet ported from 2.6</P>
<P><EM>monitortimeout=</EM> not yet ported from 2.6</P>
<P><EM>monitorurl=</EM> not yet ported from 2.6</P>
<DT><B>cache_vary</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>collapsed_forwarding</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>error_map</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>external_refresh_check</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>location_rewrite_access</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_children</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>location_rewrite_program</B><DD>
<P>Not yet ported from 2.6</P>
<DT><B>refresh_pattern</B><DD>
<P><EM>stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>ignore-stale-while-revalidate=</EM> not yet ported from 2.7</P>
<P><EM>negative-ttl=</EM> not yet ported from 2.7</P>
<DT><B>refresh_stale_hit</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_access</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_rewrite_children</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_rewrite_concurrency</B><DD>
<P>Not yet ported from 2.7</P>
<DT><B>storeurl_rewrite_program</B><DD>
<P>Not yet ported from 2.7</P>
</DL>
</P>
</BODY>
</HTML>